diff --git a/source/server/apistatusd.py b/source/server/apistatusd.py
index a59b555..563960f 100755
--- a/source/server/apistatusd.py
+++ b/source/server/apistatusd.py
@@ -43,35 +43,51 @@ def print_config(config): for i in config[section]: logging.debug(' {}: {}'.format(i, config[section][i])) - def print_ciphers(cipherlist): ''' Prints the list of allowed ciphers. param1: dictionary return: boolean ''' - print('Available ciphers') + logging.debug('Available ciphers') for i in cipherlist: - print('\n') for j in i.keys(): - print('{}: {}'.format(j, i[j])) - print('\n') + if j in ('name', 'protocol'): + logging.debug('{}: {}'.format(j, i[j])) +def print_context(ctx): + ''' + Prints the ssl settings for the given ssl context. + param1: context object + ''' + logging.debug('----------- context ----------------') + logging.debug('Minimum version ssl: {}'.format(ctx.minimum_version)) + logging.debug('Maximum version ssl: {}'.format(ctx.maximum_version)) + logging.debug('SSL options enabled: {}'.format(ctx.options)) + logging.debug('Protocol: {}'.format(ctx.protocol)) + logging.debug('Verify flags certificates: {}'.format(ctx.verify_flags)) + logging.debug('Verify mode: {}'.format(ctx.verify_mode)) + print_ciphers(ctx.get_ciphers()) + logging.debug('------------------------------------') def display_peercert(cert): ''' Displays the values of a given certificate. - param1: dictionary - return: boolean + param1: dictionary or none ''' - for i in cert.keys(): - print('{}:'.format(i)) - if i in ('subject', 'issuer'): - for j in cert[i]: - print('\t{}'.format(j)) - else: - print('\t{}'.format(cert[i])) - + if cert == None: + logging.debug('Peer does not offer a certificate') + elif len(cert) == 0: + logging.debug('Peer certificate was not valid') + else: + logging.debug('Peer certificate commonName: {}'.format( + cert['subject'][5][0][1])) + logging.debug('Peer certificate serialNumber: {}'.format( + cert['serialNumber'])) + logging.debug('Peer certificate notBefore: {}'.format( + cert['notBefore'])) + logging.debug('Peer certificate notAfter: {}'.format( + cert['notAfter'])) def receive_buffer_is_valid(raw_data): ''' 
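Review bot: `display_peercert` still reads the commonName with the fixed index `cert['subject'][5][0][1]`, which only works for certificates whose subject happens to carry exactly that RDN order and raises `IndexError`/`KeyError` for any other client certificate; walking the RDN sequence is the robust form, e.g. `cn = next((v for rdn in cert['subject'] for k, v in rdn if k == 'commonName'), None)` followed by `logging.debug('Peer certificate commonName: {}'.format(cn))`. The new guard `if cert == None:` should be `if cert is None:`. The `elif len(cert) == 0:` branch logs "Peer certificate was not valid", but `getpeercert()` returns an empty dict when the peer's certificate was not *validated* (the context's verify_mode did not require it), which is a configuration condition rather than an invalid certificate, so `'Peer certificate was not validated (check verify_mode)'` would describe it accurately. The docstring of `print_ciphers` still claims `return: boolean` although the function returns nothing, and the removed blank lines leave `print_context` and `display_peercert` glued to the preceding function without the two blank lines PEP 8 expects.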
@@ -225,12 +241,11 @@ def main(): context.load_cert_chain(certfile=config['server']['cert'], keyfile=config['server']['key']) context.load_verify_locations(cafile=config['client']['cert']) - context.set_ciphers('EECDH+AESGCM') # only ciphers for tls 1.2 and 1.3 context.options = ssl.OP_CIPHER_SERVER_PREFERENCE # ensure, compression is disabled (disabled by default anyway at the moment) context.options |= ssl.OP_NO_COMPRESSION logging.debug('SSL context created') - # print_ciphers(context.get_ciphers()) + print_context(context) with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: logging.debug('Socket created')
@@ -263,13 +278,18 @@ def main(): conn.settimeout(float(config['general']['timeout'])) except socket.timeout: logging.error('Socket timeout') + continue except Exception as e: logging.error('Connection failed: {}'.format(e)) + continue logging.info('Connection established') - logging.info('Peer certificate commonName: {}'.format( - conn.getpeercert()['subject'][5][0][1])) - logging.debug('Peer certificate serialNumber: {}'.format( - conn.getpeercert()['serialNumber'])) + try: + cert = conn.getpeercert(binary_form=False) + display_peercert(cert) + except ValueError: + logging.debug('SSL handshake has not been done yet') + except Exception as e: + logging.debug('Unexpected error: {}'.format(e)) raw_data = conn.recv(1) if receive_buffer_is_valid(raw_data) is True:
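Review bot: With `context.set_ciphers('EECDH+AESGCM')` removed, the comment `# only ciphers for tls 1.2 and 1.3` that remains above `context.options = ssl.OP_CIPHER_SERVER_PREFERENCE` no longer describes anything the code does: the server now negotiates from OpenSSL's default cipher list for whichever protocol versions the context permits, and the actual list is visible only in the debug output of the newly added `print_context(context)`. If the intent is to keep the "1.2 and 1.3" restriction, state it explicitly, e.g. `context.minimum_version = ssl.TLSVersion.TLSv1_2`, and reword the comment to `# TLS 1.2+ only; cipher list left to the OpenSSL default (logged by print_context)`; otherwise delete the stale comment. Note also that the unchanged assignment on the following line uses `=` rather than `|=`, so it replaces whatever options the context was created with; whether that drops any default protections depends on how `context` is constructed above the hunk, which is not visible here. main() starts and ends outside this hunk.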
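Review bot: The new `except Exception as e:` around `display_peercert(cert)` logs only at debug level, so any failure while reading the peer certificate (including a `KeyError`/`IndexError` from the fixed subject index inside `display_peercert`) leaves no trace at the default log level and the connection is then served as if nothing happened. Narrow the clause to the errors the call can actually produce and raise the severity, e.g. `except (KeyError, IndexError) as e:` followed by `logging.warning('Peer certificate lacks expected fields: {}'.format(e))`, or at minimum use `logging.exception('Unexpected error while reading peer certificate')` so the traceback is retained. The two added `continue` statements correctly stop the loop from using a connection whose `accept`/`settimeout` failed, but the `try` those `except` clauses belong to begins above the hunk, so whether `conn` is closed before `continue` cannot be confirmed from here. main() continues beyond the end of this hunk.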